12-26-2011 11:57 AM
Background: I downloaded Nirsoft's wirelesskeyview tool to recover a network key on a Vista machine on my network, when I didn't remember it, and wanted to add a visitor's device. I wanted to recover it rather than reset the key on my router and have to re-key all the other devices on the network. (It could not be recovered on the Vista's wireless management screen because the show-characters box was grayed out/unchecked. I did recover the key from another device where it was visible on the wireless management screen.)
The issue: The Norton AV Auto-Protect blocked the wirelesskeyview.exe, and classified it as a high-risk Trojan.Gen.2. Nirsoft acknowledges the problem with some AV detectors, but claims it is OK. Is this a false positive or is it really a trojan? Or is it just a powerfull tool that could be used by an invading virus or trojan? If the later, it would be better for Norton to ask the user if it's execution was intentional, rather than just block it unconditionally.
Solved! Go to Solution.
12-27-2011 10:19 AM
It seems to be a consensus from multiple sources that the product is not a Trojan (but may be downloaded and used by some malware). The problem I am now having with the Norton Security Suite is that when I tell it to restore the file from quarantine, it does so, but quickly re-quanantines it. So how do I make the AV mechanism leave it to me to decide what to do with it?
12-27-2011 10:44 AM
Could you clarify which Norton Product you are using: Norton AntiVIrus / Norton Internet Secuirity / Norton 360 .... or possibly Norton Security Suite which I think is a COMCAST name for a version of Norton 360 with some differences and which is supported in the Other Norton Products Forum here ....
12-27-2011 02:22 PM
I want to add that even though I added the file wirelesskeyview.exe to the exeception lists, it was still nailed by Auto-Protect as soon as I opened the folder containing it.
12-27-2011 02:50 PM - edited 12-27-2011 03:07 PM
Thanks for clarifying what you have for security protection.
I don't think it matters very much which product forum you are in since N 360 uses similar although not so uptodate AV engines as NIS or NAV.
As others have said Nirsoft are thoroughly trustworthy. Your experience does indicate that malware is more a way of using someething than what it necessarily is!
Since I have NIS 2012 installed I'll try downloading and opening that file and let you know what happens .... I hope.
OK I downloaded the zip file from Nirsoft with no flag from Norton
I then used 7-zip to extract the exe file from the zip into a folder to run it and NIS 2012 stopped this action and put up a message with the details. It did not delete anything.
So I turned off Autoprotect and then repeated the extraction with no problem and then ran the exe with no interruption from NIS 2012.
It did not actually find any wireless keys I might have on my router probably because Nirsoft say they have a problem due to a change MS made in the encryptation on Nirsoft say they can get round this but it may crash the computer .....
But so far as I can see with what I did and with NIS 2012 Norton deals with this responsably -- it does not stop the package from being downloaded [NOTE that I have check inside compressed files permanently OFF in order to save scan time and recognizing that it will (as it did here) flag if I open the compressed file] but it stops you installing the active element unless you disable AutoProtect, which when you go to do it imposes a time limit unless you deliberately bypass it.
I know N360 has fewer tweakable settings than NIS so I don't know if you can disable autoprotect in it or not, nor whether this extends to the COMCAST version that you have.
12-28-2011 08:27 AM
Just an update on my situation with the wirelesskeylogger -- this morning after booting up I got a popup from NIS saying it had detected and dealt with this "trojan".
This would be because I had turned back on autoprotect, I guess, after doing the test yesterday.
What it did was get rid of the installed copy that I had extracted from the downloaded zip file but that file was still in my Download folder since I leave ON the Do not check inside compressed files setting.
So if I were to need it again I could disable AutoProtect and then extract and use the file. Then retore Norton to full protection when I'd done the job.
This does not strike me as unreasonable when using a file that is capable of destroying your security if run remotely.
12-28-2011 09:04 AM
It worked for me also when I turned off compressed file scans and auto-protect. Still don't understand why the file was still blocked the way I tried before (put it in the exclusion lists and restored from quarantine). Perhaps the exclusion list needed a full path name and not just the file name.
At any rate your way works, and I can see the network key - not only for the current network, but also wi-fi network keys for other networks this laptop was connected to in the past. Wirelesskeyview is a nice tool!
12-28-2011 02:08 PM
Glad that worked for you too.
Someone here will know more about the exclusions but I think you may be right about putting in the full path.
Anyway if you keep the zip file with the exe in and leave the compressed file check OFF (on the grounds that it will be checked the moment you or anything tries to open the compressed file for any purpose) you won't have to download again although Nirsoft do update so it might be a good idea anyway.
I hope it didn't crack your neighbors wifi as well! <g>